Banner Self Service
Monthly
Stored cross-site scripting in Ellucian Banner Self-Service before the April T2 2025 release (2025-04-23) allows low-privileged authenticated Banner ERP users to persist malicious JavaScript in faculty and course data fields via missing HTML encoding at the DOM insertion point. Payloads planted in fields such as faculty displayName, emailAddress, subjectDescription, or courseTitle are subsequently served through the unauthenticated getFacultyMeetingTimes API and execute in any victim's browser that renders course search results. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Reflected XSS in Ellucian Banner Self-Service allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by injecting unsanitized content via the `toDateFormat` parameter of the publicly accessible `dateConverter` endpoint. The CVSS vector (PR:N, S:C) confirms no credentials are needed to craft the attack and that the impact crosses security boundaries into the victim's browser session, enabling session hijacking or credential theft against higher-education users. No public exploit has been identified and this is not listed in CISA KEV, but the unauthenticated endpoint and simple social-engineering delivery path make this practically exploitable with low attacker skill.
Stored cross-site scripting in Ellucian Banner Self-Service before the April T2 2025 release (2025-04-23) allows low-privileged authenticated Banner ERP users to persist malicious JavaScript in faculty and course data fields via missing HTML encoding at the DOM insertion point. Payloads planted in fields such as faculty displayName, emailAddress, subjectDescription, or courseTitle are subsequently served through the unauthenticated getFacultyMeetingTimes API and execute in any victim's browser that renders course search results. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Reflected XSS in Ellucian Banner Self-Service allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by injecting unsanitized content via the `toDateFormat` parameter of the publicly accessible `dateConverter` endpoint. The CVSS vector (PR:N, S:C) confirms no credentials are needed to craft the attack and that the impact crosses security boundaries into the victim's browser session, enabling session hijacking or credential theft against higher-education users. No public exploit has been identified and this is not listed in CISA KEV, but the unauthenticated endpoint and simple social-engineering delivery path make this practically exploitable with low attacker skill.